To accomplish this, create a new sub-org for that user with a single root user. This root user should only have the end user’s email or phone number associated with it, and no other authenticators, which ensures that only the end user can claim the pre-generated wallet. When the end user wants to claim the wallet, they can complete email auth flow to authenticate and sign a transaction or add a new authenticator.